Xupiter...anybody know how to

[Chuck57]

get rid of them? A friend just called me and said this site seems to have taken over his computer. He doesn't know how, but now that they're there, they won't leave.

I don't know any more than that at this point, other than that they've inserted themselves into his registry, taken control of his home page, and won't let go.

I'm firewalled, using Proxomitron with most filters enabled, but still don't feel comfortable trying to investigate the site to see who or what they are.

[Pieter_Arntz]

Here´s lots of info: http://and.doxdesk.com/parasite/Xupiter.html

Wish him luck for me,

Pieter

You will find at this link a post by Name Game that will give you a direct download link to the Xupiter site and a page that will give you the uninstaller and the proceedure to do it. You must follow the instructions.. If you do the plugin will go away.

http://www.dslreports.com/forum/rema...ty,1~mode=flat

This is a link to the FAQ for Xuipter.
http://www.xupiter.com/help.html



I will post it here also the Uninstaller.

NOTE THIS IS A DIRECT DOWNLOAD LINK.

http://www.xupiter.com/uninstall/

Also note that after you run the uninstaller (make sure no other programs are running) you must immediately Reboot your machine for it to take affect.

Good luck it seems to work for everyone to date.

I will also tell you that none of the Spyware Groups I know of are going after Xupiter today. Xupiter has been pretty upfront on how the do business on the Net..They have unstallers of their products and a good FAQ section.

I guess until that changes..you just have to put up with them.

[Chuck57]

Boy, that was quick response. I'll note those URL's and pass them on. I can't believe nobody is doing anything about this outfit. Whether they post uninstallers or not, it's an intrusion.

Please do get the word out..now a favor..can you find out where he/she did get it..I am keeping track of that.

If we find out it is in an unsavory way..by websites that are their partners..then that should be noted. But it can not be just and IE setting thing were one could have prevented it with better security setting instead of having it wide open..so far have found that most just download it to see what it was...thanks Chuck,

Regards,

John

[Paul Wilders]

Kuddos, John!

regards.

paul

Just trying to pay back the great Moderators, you have in here, in a small way for all the help they have given to others. They are very resourceful..and this is fun.

[Pieter_Arntz]

Quote:

quoting: MyNethingyman link=board=22;threadid=3713;start=0#24903 date=1032293136]
Just trying to pay back the great Moderators, you have in here, in a small way for all the help they have given to others. They are very resourceful..and this is fun.

Well, keep it up. I think you´re good at it

Regards,

Pieter

[Chuck57]

it was an About.com pop up that got him. I've given him the URL's and expect he's in the process of ridding himself of Xupiter. I also told him to download Proxomitron or a similar pop up killer.

[Chuck57]

that he doesn't remember what website he was on when he got hit, which is probably the most important thing.

[Mike_Healan]

This is from my latest newsletter, which won't load right now, because someone tripped over a golf ball or something and knocked the waxed string out of the back of my site's web server. ;(

Anyway....

==================================================
A new "drive-by downloader" has come onto the scene recently. Xupiter.com's browser toolbar has been finding its way onto the computers of countless people via activex installation, and people all over the net have been running around in circles trying to figure out what to do with it. There is an enormous thread at the message boards about this which nearly broke the record for replies to a single topic, and smashed the record for page views with nearly 7,000 hits.

Spybot S&D will soon be updated to handle this software and the other spyware removal companies have been sent the relevant information. If your company produces spyware/adware/hijacker/<insert term here> removal software and you haven't already been receiving notification of potential new targets from me, please contact me to give me an appropriate contact address.

If you have this thing installed and wish to get rid of it now, the manual instructions are as follows (with apologies to Tony Klein for snitching his instructions):

Open the registry (from the Start menu, click Run and enter regedit) and find the key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run. Delete the 'XupiterStartup' entry in the Right Hand pane.

Also delete the following Registry Keys:

HKEY_CURRENT_USER\Software\Xupiter
HKEY_LOCAL_MACHINE\Software\Microsoft\Code Store Database\Distribution Units\{A27CFCAE-9351-4D74-BFFC-21EB19693D8C}

Reboot, and delete the entire Program Files\Xupiter directory.

You're also likely to have a Xupiter ActiveX object in your Downloaded Program Files folder. Find that one, rightclick it, and choose properties. It has the following ID: {A27CFCAE-9351-4D74-BFFC-21EB19693D8C}

Now rightclick the file, and choose delete.

Next, delete the Xupiter folder in Program Files.

Finally, go to Internet Options/Programs, and hit "Reset Web Settings".

Many, many, many, many thanks to the dozens of people that contributed information to that thread. Most especially to one of the moderators at the forums, who goes by Mr Bones, who actually installed the software to log its installation process.

[TonyKlein]

Additionally, a Xupiter install also adds the following Favorites folders you will want to remove: Business, Computers, Cool Stuff, Entertainment, Gaming, Lifestyle, and Shopping.

BTW, I've heard that a SpyBot S&D update due out later today is to include Xupiter detection, which will be a boon for a lot of people.

[Paul Wilders]

Quote:

BTW, I've heard that a SpyBot S&D update due out later today is to include Xupiter detection, which will be a boon for a lot of people.

That's for sure! Let's see what Patrick comes up with .

regards.

paul

[Primrose]

"This is from my latest newsletter, which won't load right now, because someone tripped over a golf ball or something and knocked the waxed string out of the back of my site's web server. ;( "
___________
Floss twice...keep the string taunt..use bigger coffee cans to get the word out.... on your back swing..just keep your eye on that golf ball.

Thanks for the update.

[Mike_Healan]

Quote:

quoting: Primrose link=board=22;threadid=3713;start=0#25322 date=1032694181]
"This is from my latest newsletter, which won't load right now, because someone tripped over a golf ball or something and knocked the waxed string out of the back of my site's web server. ;( "
___________
Floss twice...keep the string taunt..use bigger coffee cans to get the word out.... on your back swing..just keep your eye on that golf ball.

Thanks for the update.

ROFL!!

Hi,
The Spybot's new update includesXupiter

[TonyKlein]

Updates of Sept, 22nd:
updated hijacker: CnsMin
added hijacker: Xupiter
added trojan: MS7531, Element
updated spyware: Aureate, HuntBar
added Dialer: TIBS (PayPerViewDialer)
updated dialer: All-In-One Telcom, TTW, Huysuzseks

[Primrose]

You also have two other methods you can try.


First:Manually you can rename XTUPDATE.DLL

Second:

BHODemon
What does BHODemon do?
BHODemon scans your Registry for BHOs, and presents any it finds in a list. By highlighting a BHO in this list, and clicking the "Details" button, you can see information about this BHO, and even disable it if you wish. BHOs are disabled by simply renaming the DLL that houses them. By renaming the DLL, instead of deleting it, you have the option of enabling it later if you wish. Why would you want to do that? Because the program that installed the BHO will not run if it can't find the DLL: Go!Zilla, for example, won't run if you remove its BHOs.

http://www.definitivesolutions.com/bhodemon.htm


The second method here I am told will take care of more that Xupiter as they try to get the attention of your browser.

Small 127K program.

[TonyKlein]

You'll have trouble renaming Xupdate.dll as it will be in use by Windows.

The short method is going to Start > Run > Msconfig, and unchecking XupiterStartup.

Click OK and close Msconfig.

Disable the BHO or delete its registry key.
Now reboot, and rename or delete the dll.

[Primrose]

You'll have trouble renaming Xupdate.dll as it will be in use by Windows.

How about your safe or DOS I never had any problems
____________________________________________


Browser Helper Objects: The Browser the Way You Want It
Click here to download sample - 5267.exe.

Dino Esposito
Microsoft Corporation

January 1999

Summary: Describes how to use BHOs to customize your browser. (16 printed pages) Covers:

Introduction
Program Customization
What Are Browser Helper Objects?
The Lifecycle of Helper Objects
The IObjectWithSite Interface
Writing a Browser Helper Object
Detecting Who's Calling
Getting in Touch with WebBrowser
Getting Events from the Browser
Accessing the Document Object
Managing the Code Window
Registration of Helper Objects
Summary

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnbrowse/html/bho.asp

[TonyKlein]

Yes, I know, but why just rename the dll?

Let's get rid of the entire thing. That sounds like a much more sensible option.

[Primrose]

Yes, I know,

OK

Now we have upteen methods.

yours is fine also. Glad you posted it.

Not interested in a competion.

[TonyKlein]

Neither am I.

I'm sorry to hear you seem to regard it as such.

Cheers,

[microwiz3]

Hope this might be of some help!
Here is where my wife "acquired" Xupiter recently:

http://wwx.dollhouseminiaturesclub.freeservers.com

Then go to the "Craftroom" and a screen extoling the virtues of Xupiter having a "certificate" should appear.
(The usual ActiveX approval screen).

Interestingly enough although I found it on her computer it had never activated. I just happened to see a directory named Xupiter when I was looking around for something else. Removed without a hitch.

Also Lavasoft (AdAware) has included Xupiter in the files as of 9-24-02. I went in and "acquired" it just to test and AdAware caught it and removed it with no problem.

I don't think we have seen the last of these guys. Hope this helps. Happy computing!

URL provided has been altered for security reasons - Forum Admin